- From: Paul Leach <paulle@microsoft.com>
- Date: Wed, 28 Feb 96 17:48:47 PST
- To: http-wg-request%cuckoo.hpl.hp.com@hplb.hpl.hp.com, john@math.nwu.edu
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Peter said:
----------
] From: Peter J Churchyard <pjc@trusted.com>
] To: <"john@math.nwu.edu">; <john@math.nwu.edu>
] Cc: <"http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com">; <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
] Subject: Re: Digesting the digest...
] Date: Wednesday, February 28, 1996 2:10PM
]
] As I see it the optional message-digest and/or digest-messagedigest is
] only advisory since it can be removed in transit and the receiver doesn't
] know it was there.

A client that cares about modification in transit can reject responses without it, when talking to a server that it knows supplies it. Or see below.

] We might want to put into the "digest hashed data" a flag that is set if
] you also sent a Digest-MessageDigest so that its removal could be detected.

That's not what you need. The client needs to be able to ask the server to send Digest-MessageDigest. A new parameter in the Authorization field is what you want. If it got snipped out, then the client wouldn't get the D-MD it asked for.

If the client sent message= in the Authorization header, and the attacker removes it, I don't have a good answer. The server could refuse to accept requests without message= in the Authorization if it cared enough. A flag in the WWW-Authenticate header could signal the client that it needed to send <message-digest>.

So, how about the following parameter for both Authorization and WWW-Authenticate headers:

    digest-required=<"message" | "header" | "response">

where "message" means the receiver must include message=<message-digest> in the response, "header" means the receiver must include header=<header-digest> in the response, and "response" means the receiver must include response=<response-digest> in the response.
Received on Wednesday, 28 February 1996 18:18:22 UTC